2013–14 Annex to the Statement of Management Responsibility, Including Internal Control over Financial Reporting

2013–14 Annex to the Statement of Management Responsibility, Including Internal Control over Financial Reporting

1 Introduction

1.1 Authority, mandate, and program activities

1.2 Financial highlights

1.3 Service arrangements relevant to financial statements

1.4 Material changes in the fiscal year 2013–14

2 The Control Environment Relevant to ICFR

2.1 Key positions, roles, and responsibilities

2.2 Key measures taken

3 Assessment of the OAG’s System of ICFR

3.1 Assessment baseline

3.2 Assessment method

4 Assessment Results

4.1 Design effectiveness

4.2 Operating effectiveness

4.3 Conclusion

5 The Action Plan

5.1 Progress made during the fiscal year ending 31 March 2014

5.2 Action plan for future years

Note to the reader

The Treasury Board Policy on Internal Control requires that organizations demonstrate the measures they are taking to maintain an effective system of internal control over financial reporting (ICFR).

As part of this policy, organizations are expected to conduct annual assessments of their system of ICFR, establish action plans to address any necessary adjustments, and attach a summary of their assessment results and action plan to their Statement of Management Responsibility.

Effective systems of ICFR aim to produce reliable financial statements and to provide assurance that:

The system of ICFR is not designed to eliminate risks, but rather to mitigate risks to a reasonable level, with controls that are balanced with and proportionate to the risks they aim to mitigate.

The maintenance of an effective system of ICFR is an ongoing process designed to identify and prioritize risks and the controls to mitigate these risks, as well as to monitor the system’s performance in support of continuous improvement. As a result, the scope, pace, and status of organizations’ assessments of the effectiveness of their systems of ICFR varies from one organization to another, based on risks and each organization’s unique circumstances.

1 Introduction

This document is attached to the Office of the Auditor General’s (OAG) Statement of Management Responsibility, including Internal Control over Financial Reporting, for the 2013–14 fiscal year. As required by the Treasury Board Policy on Internal Control, this document provides summary information on the measures taken by the OAG to maintain an effective system of internal control over financial reporting (ICFR). In particular, it provides summary information on the OAG’s assessment as of 31 March 2014, including progress, results, and related action plans along with some financial highlights pertinent to understanding the control environment unique to the OAG.

1.1 Authority, mandate, and program activities

Detailed information on the OAG’s authority, mandate, and program activities can be found in its Departmental Performance Report and Report on Plans and Priorities.

1.2 Financial highlights

The OAG’s annual audited financial statements for the fiscal year ended 31 March 2014 can be found in its Departmental Performance Report. Financial information can also be found in the Public Accounts of Canada.

1.3 Service arrangements relevant to financial statements

The OAG relies on other organizations for processing certain transactions recorded in its financial statements:

1.4 Material changes in the fiscal year 2013–14

Changes in operations

In the fiscal year 2013–14, there have been no significant changes to the OAG’s authorities and no changes in its operations that would have an impact on the financial statements, which continue to be prepared in accordance with Canadian Public Sector Accounting Standards.

Changes in key personnel

The Auditor General, Michael Ferguson made the following appointments:

There were no other changes in key personnel during the fiscal year.

Changes to the terms and conditions of employment

There were no changes to the terms and conditions of employment.

2 The Control Environment Relevant to ICFR

The OAG recognizes the importance of setting the tone, starting with senior management, to help ensure that staff at all levels understand their role in maintaining effective systems of ICFR and are well equipped to exercise their responsibilities effectively. The Executive Committee provides overall direction and oversight for the OAG. It is supported by the Finance and Corporate Services committees, which conduct due diligence and provide advice on the development and implementation of OAG policies and controls, as well as other matters. An independent audit committee oversees key aspects of values and ethics, risk management, internal controls, external audit of our financial statements, quality management, practice review and internal audit function, and accountability reporting.

The OAG’s organizational structure is clearly defined, and the lines of authority and responsibility are well established. Staff members are qualified and trained, and formal job descriptions are in place. An OAG code of values, ethics, and professional conduct sets out (in detail) the values and the ethical, professional, and other standards that guide staff in their work.

An integrated risk management framework is in place based on the enterprise risk management model of the Committee of Sponsoring Organizations of the Treadway Commission. The framework is monitored and updated regularly.

The OAG’s Practice Review and Internal Audit function, which reports directly to the Auditor General, prepares an annual internal audit plan. The plan is based on a systematic assessment of business risk, which is developed using the risk management framework and other inputs. Internal audits assess significant administrative systems on a rotational basis. Practice reviews of audit practitioners assess the implementation of our System of Quality Control and make recommendations to improve the conduct of our audits. They may also make observations to improve the system’s design.

2.1 Key positions, roles, and responsibilities

The following are the key positions and committees with responsibilities for maintaining and reviewing the effectiveness of the OAG’s system of ICFR:

Auditor General (AG). As the OAG’s Accounting Officer, the AG assumes overall responsibility and leadership for the measures taken to maintain an effective system of internal control. The AG chairs the Executive Committee.

Chief Financial Officer (CFO). The CFO reports directly to the Auditor General and provides leadership for the coordination, coherence, and focus on the design and maintenance of an effective and integrated system of ICFR, including its annual assessment.

Chief Information Officer (CIO). The CIO is responsible for leading our Information Technology and Security, and Knowledge Management groups, as well as special IT projects.

Senior Managers. Senior managers are responsible for maintaining and reviewing the effectiveness of their system of ICFR that falls within their mandate.

Chief Audit Executive (CAE). The CAE reports directly to the Auditor General and provides assurance through periodic practice reviews and internal audits, which are instrumental to the maintenance of an effective system of ICFR.

OAG Audit Committee. The Audit Committee is an independent advisory committee that provides the Auditor General with objective views on the OAG risk management, control, and governance frameworks. The Audit Committee also recommends for approval the annual Report on Plans and Priorities and the Departmental Performance Report (including audited financial statements) to the Executive Committee. The Auditor General is a member of the Audit Committee.

Executive Committee. The Executive Committee is the central decision-making body; it approves and monitors the OAG Risk Management Framework and the system of internal control, including the assessment and action plans related to ICFR. The committee, which includes the Auditor General, the Commissioner of the Environment and Sustainable Development, assistant auditors general, the Senior Principal responsible for Communications, and the Senior Legal Counsel, sets policy and provides overall professional administrative direction for the OAG.

2.2 Key measures taken

The OAG’s control environment equips its staff to manage risks well by raising awareness, providing appropriate knowledge and tools, and developing skills. Key control measures include the following:

3 Assessment of the OAG’s System of ICFR

3.1 Assessment baseline

The external auditors conduct an annual controls-based audit and are actively engaged (at least twice per year) through their attendance at audit committee meetings. As part of the requirements of the Treasury Board’s Policy on Internal Control, the OAG is to annually assess both the design and operating effectiveness of key controls over financial reporting in support of continuous improvement.

Design effectiveness is the assurance that key control points are in place and that they are identified, documented, and aligned with the risks (that is, controls are balanced with and proportionate to the risks they aim to mitigate). This includes the mapping of key processes to the main accounts.

Operating effectiveness means that key controls have been tested over a defined period and that any remediation is addressed. Such testing covers all OAG control levels that include entity, general computer, and business process controls.

Ongoing monitoring means that a system is in place to ensure that risks are mitigated continuously within the main business processes and corrective actions are taken in a timely manner when required.

3.2 Assessment method

This is the fourth annual assessment of the effectiveness of internal controls over financial reporting (ICRF). The review involves testing samples of transactions in each of the main process areas to assess the design and operating effectiveness of the controls. The focus is on the following main processes:

As part of the ongoing annual testing, the team reviews the key IT General Controls, specifically the access and security controls for each of the main processes in the OAG financial system. This ensures that access is only provided to the appropriate staff and that the processes are monitored in a timely manner.

This year, we documented the Budget Review and Cost Monitoring process to ensure the reasonableness of costing OAG products and the related accuracy of time reporting. Next year, we will begin to review this process on a rotational basis.

Each year, the results of the assessment are reported in the Annex to the Statement of Management Responsibility, Including Internal Control over Financial Reporting, and includes an action plan outlining the work to be done in the following year. In the fiscal year 2013–14, the work to be done is as follows:

4 Assessment Results

In the 2013–14 fiscal year, the OAG’s assessment of internal controls was in large part a continuation of the first three assessments, supplemented with additional in-depth reviews of the Operating expenditures business process.

4.1 Design effectiveness

When assessing key controls, the OAG reviews whether processes continue to follow the documented procedures. If changes are identified, process descriptions are updated and controls are re-examined to ensure that they continue to be designed in a way that mitigates any associated risks. Our control evaluations performed in the 2013–14 fiscal year confirmed that the identified key controls have not changed significantly and are still appropriately aligned with the risks they aim to mitigate.

4.2 Operating effectiveness

As was the case for the previous assessments, the OAG put together a review team that drew upon the experience of staff who work in audit operations. The team established a work plan, selected sample transactions (following audit methodology used by the OAG), and tested the transactions to ensure that the controls work effectively. The team also reviewed the sample transactions to ensure coverage of key components of the business processes over the entire fiscal year. The sample transactions covered sub-categories of transactions within each cycle and also included a review of ongoing management and monitoring controls applicable to all cycles. The following summarizes what was done for each of the main business processes:

4.3 Conclusion

The internal control system over financial reporting is well designed and functioning effectively. While no significant weaknesses were found, areas of improvement were identified for which follow-up actions have either been completed or are under way.

5 The Action Plan

5.1 Progress made during the fiscal year ending 31 March 2014

In addition to assessing design and operating effectiveness of key controls in the main business processes, the Office addressed the action plan items identified in the fiscal year 2012–13 as follows:

5.2 Action plan for future years

Over the last few years, the OAG has taken several important steps to ensure that an effective system of internal control over financial reporting is in place. That being said, on-going efforts to maintain strong controls over the long term are necessary to build on the work already done. The following describes the actions that the OAG plans to take over the next two years:

2014–15

2015–16